It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URls in a clear attempt to improve their click-through rates.

Once executed, the malware phones back to 216.38.12.158:8080/mx/5/B/in (recipe.devrich.com, AS32181). Another domain is known to have been responding to the same IP in the past, namely, hxxp://imanuilletapchenko.ru:8080/html/yveveqduclirb1.php